Platform
wordpress
Component
google-analytics-dashboard-for-wp
Fixed in
9.0.3
CVE-2026-1993 describes a privilege escalation vulnerability in the ExactMetrics – Google Analytics Dashboard for WordPress plugin. Authenticated users who hold the exactmetrics_save_settings capability can modify arbitrary plugin settings, potentially gaining unauthorized access and control. Versions 7.1.0 through 9.0.2 are affected; the issue is fixed in version 9.0.3.
An attacker exploiting this vulnerability uses the update_settings() function to change the plugin's configuration. In particular, they can modify the save_settings option, which controls which user roles may access ExactMetrics features. By altering this setting, an attacker holding the exactmetrics_save_settings capability can effectively elevate their privileges and reach administrative functions or sensitive data within the plugin. This could lead to unauthorized data collection, tampering with analytics reports, or complete control over the plugin's behavior. The impact is greater where the plugin tracks critical website metrics or integrates with other sensitive systems.
CVE-2026-1993 was publicly disclosed on 2026-03-10. There are currently no known public exploits or active campaigns targeting this vulnerability, and it is not listed in the CISA KEV catalog at the time of writing. Exploitation is relatively difficult in practice, since it requires an authenticated account that already holds the exactmetrics_save_settings capability.
WordPress websites utilizing the ExactMetrics plugin, particularly those with multiple user roles and delegated administrative privileges, are at risk. Shared hosting environments where plugin settings are not tightly controlled are also more vulnerable. Websites relying on ExactMetrics for critical analytics data are especially susceptible to the impact of a successful exploit.
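A script to check whether an installed ExactMetrics version falls inside the affected range 7.1.0 to 9.0.2 stated above, written for this page as an added example (it is not part of the advisory or of the ExactMetrics project). It assumes the plugin's main file carries a standard WordPress "Version:" header; the sample header it reads is constructed inline, so the script runs offline:

```shell
#!/bin/sh
# Added example, not the advisory's or the plugin's own code: decide whether an
# installed ExactMetrics version is inside the affected range [7.1.0, 9.0.2].

# Compare two dotted version strings; prints -1, 0 or 1 for a < b, a == b, a > b.
# Missing components count as 0, so "7.1" equals "7.1.0".
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i in x) ? x[i] + 0 : 0
      yi = (i in y) ? y[i] + 0 : 0
      if (xi < yi) { print -1; exit }
      if (xi > yi) { print 1; exit }
    }
    print 0
  }'
}

# Shell-true (exit 0) when the version is between 7.1.0 and 9.0.2 inclusive,
# i.e. the range the advisory lists as affected.
exactmetrics_affected() {
  v="$1"
  [ "$(vercmp "$v" 7.1.0)" -ge 0 ] && [ "$(vercmp "$v" 9.0.2)" -le 0 ]
}

# Extract the "Version:" value from a WordPress plugin header block.
plugin_version_from_file() {
  sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Constructed sample plugin header (assumption: the real file uses the same header format).
sample=$(mktemp)
cat > "$sample" <<'EOF'
<?php
/**
 * Plugin Name: ExactMetrics (constructed sample header for this example)
 * Version: 8.5.0
 */
EOF

v=$(plugin_version_from_file "$sample")
if [ -z "$v" ]; then
  echo "could not read a Version: header from $sample"
elif exactmetrics_affected "$v"; then
  echo "ExactMetrics $v is in the affected range 7.1.0-9.0.2; update to 9.0.3 or later"
else
  echo "ExactMetrics $v is outside the affected range"
fi
rm -f "$sample"
```

On a real site, point plugin_version_from_file at the plugin's main PHP file under wp-content/plugins, or feed exactmetrics_affected the version column from wp plugin list; the comparison is numeric per component, so 9.0.10 correctly sorts after 9.0.3.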
• wordpress / composer / npm:
grep -r 'exactmetrics_save_settings' /var/www/html/wp-content/plugins/exactmetrics/
• wordpress / composer / npm:
wp plugin list --status=active | grep exactmetrics
• wordpress / composer / npm:
wp plugin update exactmetrics --all
Disclosure
Exploit status
EPSS
0.05% (14th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-1993 is to upgrade the ExactMetrics plugin to version 9.0.3 or later immediately. If upgrading is not immediately feasible because of compatibility issues or testing requirements, restrict the exactmetrics_save_settings capability to trusted administrators only. This is not a complete solution, but it limits the damage a successful exploit can do. Review user roles and permissions within the plugin so that only authorized personnel can reach its configuration settings. There are no specific WAF or proxy rules that can directly address this vulnerability, as it resides within the plugin's code.
Update to version 9.0.3 or a newer patched version.
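The workaround above, restricting exactmetrics_save_settings to administrators, can be audited with wp-cli. The following script is an added example, not the advisory's or the ExactMetrics project's own tooling: it takes a role-to-capability listing in a constructed "role:cap1,cap2,..." format, reports every non-administrator role that holds the capability, and prints the wp cap remove command for each. The sample roles and every capability name other than exactmetrics_save_settings are constructed for the example:

```shell
#!/bin/sh
# Added example, not the advisory's or the plugin's own code: find which roles
# grant exactmetrics_save_settings and emit the wp-cli commands that revoke it
# from every role except administrator. Input format (constructed for this
# example): one line per role, "role:cap1,cap2,...".

# Print each role, other than administrator, whose capability list contains $1.
roles_with_cap() {
  cap="$1"
  awk -F: -v cap="$cap" '
    $1 != "administrator" {
      n = split($2, caps, ",")
      for (i = 1; i <= n; i++) if (caps[i] == cap) { print $1; break }
    }'
}

# Turn that list into the wp-cli commands an administrator would run.
# They are printed for review, not executed.
remediation_commands() {
  cap="$1"
  roles_with_cap "$cap" | while IFS= read -r role; do
    printf 'wp cap remove %s %s\n' "$role" "$cap"
  done
}

# Constructed sample: only the administrator and editor roles hold the capability.
# Capability names other than exactmetrics_save_settings are made up for the example.
SAMPLE_ROLES='administrator:manage_options,exactmetrics_save_settings,exactmetrics_view_dashboard
editor:edit_others_posts,exactmetrics_save_settings,exactmetrics_view_dashboard
author:edit_posts,exactmetrics_view_dashboard
subscriber:read'

# Expected output: wp cap remove editor exactmetrics_save_settings
printf '%s\n' "$SAMPLE_ROLES" | remediation_commands exactmetrics_save_settings
```

On a live site the same listing can be assembled from wp role list and wp cap list <role>. Review the printed commands before running them, because removing a capability affects every user in that role; the upgrade to 9.0.3 remains the actual fix, and the capability change only narrows who could reach the vulnerable settings path in the meantime.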
CVE-2026-1993 is a HIGH severity vulnerability in the ExactMetrics WordPress plugin allowing attackers to modify plugin settings and potentially gain unauthorized access.
You are affected if you are using ExactMetrics versions 7.1.0 through 9.0.2. Upgrade to 9.0.3 or later to mitigate the risk.
Upgrade the ExactMetrics plugin to version 9.0.3 or later. As a temporary workaround, restrict access to plugin settings to administrators only.
There is currently no indication of active exploitation, but the vulnerability's nature suggests it could be exploited once a proof-of-concept is available.
Refer to the official ExactMetrics website and WordPress plugin repository for the latest security advisory and update information.